Teams users may click malicious or phishing URLs delivered in chat messages, which can be the first step of credential theft or lateral movement. SOC teams should hunt proactively for this behavior in Microsoft Sentinel to identify a potential compromise before it spreads.
KQL Query
// Uses MessageUrlInfo, MessageEvents and UrlClickEvents to find Teams messages that carried a URL on a
// commonly abused top-level domain and the users who clicked it from Teams. The TLD list is a starting
// point; tune it to your environment.
MessageUrlInfo
// Host part only: scheme, path and any port are stripped so "host:8443" does not hide the TLD.
| extend Domain = tolower(extract(@"^(?:https?://)?([^/:]+)", 1, Url))
| extend TLD = tostring(split(Domain, ".")[-1])
| where TLD in ("dev", "app", "zip", "solutions", "io", "top")
// Rename the right-side Timestamp/ReportId columns so the output does not rely on join suffixes.
| join kind=inner (MessageEvents
    | project-rename MessageTimestamp = Timestamp, MessageReportId = ReportId) on TeamsMessageId
| join kind=inner (UrlClickEvents
    | project-rename ClickTimestamp = Timestamp, ClickReportId = ReportId) on Url
// Only clicks made from Teams; a click on the same URL from email or Office would otherwise match.
| where Workload == "Teams"
| project Timestamp, MessageTimestamp, ClickTimestamp, Url, UrlDomain, TLD, TeamsMessageId, ReportId,
    ActionType, AccountUpn, Workload, SenderDisplayName, SenderEmailAddress,
    ThreatTypes, DetectionMethods, RecipientDetails
id: 0d70619d-b6a5-4958-8721-3f4001dc0472
name: Teams users clicking on suspicious URL domains
description: |
  This query helps hunt for Teams users clicking on suspicious URL domains.
description-detailed: |
  This query helps hunt for Teams users clicking on suspicious URL domains using Microsoft Defender for Office 365 and Advanced hunting in Microsoft Defender XDR.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - UrlClickEvents
      - MessageEvents
      - MessageUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Uses MessageUrlInfo, MessageEvents and UrlClickEvents to find Teams messages that carried a URL on a
  // commonly abused top-level domain and the users who clicked it from Teams. The TLD list is a starting
  // point; tune it to your environment.
  MessageUrlInfo
  // Host part only: scheme, path and any port are stripped so "host:8443" does not hide the TLD.
  | extend Domain = tolower(extract(@"^(?:https?://)?([^/:]+)", 1, Url))
  | extend TLD = tostring(split(Domain, ".")[-1])
  | where TLD in ("dev", "app", "zip", "solutions", "io", "top")
  // Rename the right-side Timestamp/ReportId columns so the output does not rely on join suffixes.
  | join kind=inner (MessageEvents
      | project-rename MessageTimestamp = Timestamp, MessageReportId = ReportId) on TeamsMessageId
  | join kind=inner (UrlClickEvents
      | project-rename ClickTimestamp = Timestamp, ClickReportId = ReportId) on Url
  // Only clicks made from Teams; a click on the same URL from email or Office would otherwise match.
  | where Workload == "Teams"
  | project Timestamp, MessageTimestamp, ClickTimestamp, Url, UrlDomain, TLD, TeamsMessageId, ReportId,
      ActionType, AccountUpn, Workload, SenderDisplayName, SenderEmailAddress,
      ThreatTypes, DetectionMethods, RecipientDetails
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Provided by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure this table is enabled |
| MessageEvents | Provided by the same connector; required for sender and recipient details |
| MessageUrlInfo | Provided by the same connector; required for the URLs carried in Teams messages |
Scenario: Internal Training Link Shared by Admin
Description: An admin shares a legitimate training link (e.g., training.example.com) with all users via Microsoft Teams.
Filter/Exclusion: Exclude organisation-managed domains (e.g., training.example.com, intranet.example.com) in the query itself, either as an inline allowlist or via a Microsoft Sentinel watchlist of approved domains. Defender for Office 365 allow policies change how the link is handled, not which clicks the hunt returns.
Scenario: Scheduled Job or Automation Script
Description: A scheduled job or automation script (e.g., using Power Automate or Azure DevOps) generates a Teams message with a URL for internal tooling or CI/CD pipelines.
Filter/Exclusion: Exclude known automation and CI/CD domains (e.g., devops.example.com, pipeline.example.com) in the query, or, where the sender is a fixed service account, exclude on SenderEmailAddress so that a URL on one of these hosts posted by an ordinary user is still surfaced.
Scenario: User Clicking on a Legitimate Partner Link
Description: A user clicks on a link from a trusted partner (e.g., partner.example.com) that is part of a legitimate business collaboration.
Filter/Exclusion: Exclude known partner domains with a Microsoft Sentinel watchlist or an inline allowlist in the query; keep the list reviewed, since a partner tenant is itself a common source of compromised-account phishing.
Scenario: User Clicking on a Shared Link from a File
Description: A user clicks on a link shared via a file (e.g., a Word document or PDF) that contains a legitimate internal URL (e.g., internal-docs.example.com).
Filter/Exclusion: Exclude internal documentation domains with a watchlist or inline allowlist in the query. Note that a click made from a file is recorded in UrlClickEvents with the Office workload, so it only matches this hunt when the same URL also appears in a Teams message.
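The exclusions described in these scenarios, together with the top-clicking-user summary that the query comment refers to, can be built into the hunt itself. The block below is an added example, not the hunting query from the original page or from the Azure-Sentinel repository. It assumes a Microsoft Sentinel watchlist named ApprovedTeamsUrlDomains (a hypothetical name) whose SearchKey column holds approved domain names; the example.com hosts are the placeholder values from the scenarios above.

```kql
// Added example: the suspicious-TLD Teams hunt with allowlist exclusions and a
// top-10 summary of clicking users. Not the original page's query.
// Starting set of commonly abused TLDs; tune for your environment.
let SuspiciousTLDs = dynamic(["dev", "app", "zip", "solutions", "io", "top"]);
// Inline allowlist: organisation-managed, CI/CD and partner hosts (placeholder values).
let InlineAllowlist = dynamic([
    "training.example.com", "intranet.example.com",
    "devops.example.com", "pipeline.example.com",
    "partner.example.com", "internal-docs.example.com"]);
// Watchlist-backed allowlist. "ApprovedTeamsUrlDomains" is a hypothetical watchlist name;
// _GetWatchlist returns its rows, SearchKey being the column chosen as the key at creation.
let WatchlistAllowlist = _GetWatchlist('ApprovedTeamsUrlDomains')
    | project Domain = tolower(tostring(SearchKey));
MessageUrlInfo
// Host part only: strip scheme, path and any port so "host:8443" does not hide the TLD.
| extend Domain = tolower(extract(@"^(?:https?://)?([^/:]+)", 1, Url))
| extend TLD = tostring(split(Domain, ".")[-1])
| where TLD in (SuspiciousTLDs)
// Apply both allowlists; the watchlist is a single-column tabular expression.
| where Domain !in (InlineAllowlist)
| where Domain !in (WatchlistAllowlist)
// Sender details; project first so only the needed columns cross the join.
| join kind=inner (MessageEvents
    | project TeamsMessageId, SenderEmailAddress, SenderDisplayName, RecipientDetails) on TeamsMessageId
// Only clicks made from Teams; a click on the same URL from email or Office would otherwise match.
| join kind=inner (UrlClickEvents
    | where Workload == "Teams"
    | project Url, ClickTime = Timestamp, ActionType, AccountUpn, ThreatTypes) on Url
// One row per user, ranked by how many suspicious links they clicked.
| summarize ClickCount = count(), DistinctUrls = dcount(Url),
    FirstClick = min(ClickTime), LastClick = max(ClickTime),
    Urls = make_set(Url, 10), Senders = make_set(SenderEmailAddress, 10),
    ClickThreatTypes = make_set(ThreatTypes, 5)
  by AccountUpn
| top 10 by ClickCount desc
```

If no watchlist exists yet, remove the `WatchlistAllowlist` definition and the `where Domain !in (WatchlistAllowlist)` line and rely on the inline list; `_GetWatchlist` fails when the named watchlist is missing. Filtering the click table to the Teams workload before the join also keeps email and Office clicks on the same URL from inflating the counts.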
Scenario: User Clicking on a Link from a Known Safe Domain